California Attorney General Rob Bonta has continued vigorous enforcement of the state’s landmark privacy law, the California Consumer Privacy Act (CCPA). Bonta’s office recently announced a settlement with Tilting Point Media, requiring the company to pay $500,000 in civil penalties, ensure future compliance, and submit annual reports to the California Department of Justice and the Los Angeles City Attorney’s Office.

What Did Tilting Point Do Wrong?

Tilting Point is an app developer that operates a mobile game (”SpongeBob: Krusty Cook-Off”) directed toward children. The state alleges that Tilting Point collected, sold, and shared the personal information of minors under the age of 16 without appropriate consent.

There are two separate laws at play in the settlement: The CCPA and the federal Children’s Online Privacy Protection Act (COPPA). The CCPA prohibits the sale and sharing of the personal information of anyone under the age of 13 unless a parent or guardian has given prior consent; if the consumer is between the ages of 13 and 16, the consumer may be the one who gives consent. COPPA prohibits the collection of personal information from children under 13 unless a parent or guardian consents.

These rules apply when a business has actual knowledge of (or willfully disregards) the consumer’s age or, under COPPA, operates a website or online service directed to children. There seems to be little question that the mobile game at issue falls within the scope of these rules.

Tilting Point is alleged to have violated CCPA and COPPA in two ways:

• Not collecting users’ age in a “neutral manner"
  While the app did have a mechanism to determine users’ age, the Attorney General says that “children were not encouraged to enter their age correctly to be directed to a child-version of the game.” Specifically, the default birth year was set to 1953; this made it easy for children to incorrectly indicate that they were adults while also requiring children to scroll through more than 50 years in order to correctly indicate their age.

• Misconfiguring third-party software to disclose children’s data
  The state further alleges that Tilting Point inadvertently misconfigured third-party software development kits (SDKs) so that children’s personal information was collected, sold, and shared without appropriate consent. There is no further detail about who these third parties were or what type of SDKs were involved.

In addition to paying a civil penalty of $500,000, Tilting Point must remediate its CCPA and COPPA violations and also submit annual reports to the state for the next three years detailing its efforts to stay in compliance.

‍